The Cybersecurity and Infrastructure Security Agency (CISA) added two more security vulnerabilities to its exploit catalog today.

The first is a Microsoft Exchange elevation of privilege bug tracked as CVE-2022-41080 which can be chained with bug CVE-2022-41082 ProxyNotShell to achieve remote code execution.

Texas-based cloud computing provider Rackspace confirmed a week ago the Play ransomware gang exploited it as zero day to bypass Microsoft ProxyNotShell URL Rewrite Mitigation and escalate permissions on compromised Exchange servers.

The exploit used in the attack, dubbed OWASSRF by the CrowdStrike security researchers who spotted it, was also shared online along with some of the other malicious Play ransomware tools.

This will likely make it easier for other cybercriminals to create their own custom exploits or adapt the Play ransomware tool for their own purposes, adding to the urgency to update the vulnerability as soon as possible.

Organizations with on-premises Microsoft Exchange servers are advised to deploy the latest Exchange security updates immediately (November 2022 being the minimum patch level) or disable Outlook Web Access (OWA) until they can apply patches CVE-2022-41080.

The second vulnerability that CISA has added to its catalog of known exploited vulnerabilities (KEVs) is a zero-day elevation of privilege (CVE-2023-21674) in Windows Advanced Local Procedure Call (ALPC), marked as exploited in attacks and patched by Microsoft for this month’s Patch Tuesday.

Federal agencies must patch until the end of January

A BOD 22-01 Binding Operational Directive released by CISA in November 2021 requires all civilian Federal Executive Branch (FCEB) agencies to secure their networks against bugs added to the KEV Catalog.

Today, CISA gave FCEB agencies three weeks, until January 31, to fix the two security flaws and block potential attacks targeting their systems.

Although this directive only applies to U.S. federal agencies, CISA strongly encouraged all organizations to patch these vulnerabilities to thwart exploit attempts.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned today.

Since the release of BOD 22-01, CISA has added more than 800 security vulnerabilities to its list of exploited-in-the-wild bugs, forcing federal agencies to address them on a tighter schedule to avoid potential security vulnerabilities. security.